artswrapper defanged

[Andreas Pour]

Stefan Westerfeld wrote:

[ ... ]

> Why? The CPU-monitoring artsd itself does is sufficient for the case where
> your user is not your enemy. On my home machine, my user (that is: me)
> is not my enemy. Thus it is safe to run artswrapper there, as bugs are
> catched by the self monitoring just fine.

I don't think you have to assume the user is your enemy.  Given the
complexity of the system, the data may well be your enemy - e.g. say
there is a buffer overflow vulnerability or infinite loop possibility in
Ogg Vorbis, then someone can freeze your system by feeding a carefully
crafted audio file to you.

Of course a malicious user is the easiest way to exploit a hole.

> > > I think such attacks are also detectable by an external watchdog process,
> > > which has the following properties:
> > >
> > > (a) it runs at higher priority than artswrapper
> > > (b) it _never_ terminates
> > > (c) it can't be terminated by anybody (but root)
> > > (d) it controls whether an application can aquire realtime rights or not
> >
> > I don't see why this part is necessary.
> 
> If you don't have (d), then the DoS attack can do as follows:
> 
> while true
> do
>   start artswrapper
>   do DoS exploit
>   wait until artsd has been depriorized
>   kill it again
> done
> 
> which is a close-to-99.99% effective DoS attack.

You can fight that by having the monitor place a timestamp in a file
when a deprioritization occurred, and refuse to start a new high
priority process for some time lag - say 5 seconds - after that, maybe
incrementing each time a deprioritization occurs within a specified
window.  This just requires a file with two fields, a time stamp and
counter.  The point really just needs to be to stop the resource usage
long enough that someone has a chance to fix the system.
 
> > > (e) it spawns a low priority process and watches whether this process gets
> > >     CPU time or not
> >
> > One way to do it.
> >
> > > (f) it depriorizes all other realtime processes IFF the low priority process
> > >     is dead for a while, and disallows acquiring realtime rights for a certain
> > >       amount of time (60 seconds or so)
> > >
> > > These properties might make it possible to defend a system even against
> > > malicious users trying to abuse realtime priorized applications. Note that
> > > the user could still cause significant pauses, but the system would remain
> >
> > At least one pause; then you can ask the user before re-prioritizing them.
> 
> You can not ask the user, as the user is the one who is your enemy, in the
> scenario of local DoS. He could find an automatic way of saying "yes"
> automatically and do the 99.99% DoS thing.

Right, but I am thinking there are ways to exploit this besides a
malicious user, even if we haven't found them yet.  Given the large
numbers of modules / apps that can be launched RT, I would be surprised
if one of them will not have a data-dependent exploit at some point in
the future (take, for example, the recent data-dependent exploit in
Apache - this did not require a malicious local user).
 
> > > "life" in the long run. But, it seems that such a watchdog would be
> > >
> > >  - somewhat non-portable
> >
> > Which part, for a system that supports real-time now?
> 
> The "process listing / acquiring cpu usage" part, for which no portable
> solution exists.

Maybe so.  Still, there are some systems - including the most
commonly-used one - where a solution does exist.
 
> > >  - quite ugly (because you can't kill it as user - if you could, you could
> > >    kill it and then do your DoS attack)
> >
> > What is ugly about that?  No more ugly than "ulimit", which you also cannot
> > change as a user.
> 
> Subjective feeling on my part. I would be scared if I logged into KDE and saw
> this "artsguard" process running, which I could not kill anymore.

Well, you should be able to kill it as root.  You cannot kill httpd as a
user either, or initd, or many other processes.
 
[ ... ]

> Well, it is a big problem if KDE ships it enabled by default, because then
> again, people will complain about it.

Then provide a way to turn it off.

> This time not against artsd possibly
> tearing their system down, but about artsguard possibly destroying their
> pet realtime processes. I know that the number of people affected by this
> is smaller than the number of people affected by the problem now, but it kind-
> of indicates that the solution is wrong.

Ibid.
 
[ ... ]

> > > Writing the external unkillable watchdog will add an extremely ugly piece of
> > > code. I don't think users will be happy to see "artsguard" running even after
> > > they logged out of KDE (but it has to, for if you could terminate it,...).
> >
> > It could kill itself when no real-time processes are running any more.  For
> > most people, that would be when they exit KDE.
> 
> Well, the problem is atomicity here. I am not sure if it is possible to get
> an atomic snapshot of the process table. If it would be possible, you could
> kill yourself when the atomic snapshot doesn't contain any RT processes any
> longer. However, if atomicity can not be granted, the exploit of the guard
> system will be to fork() and kill the exit process multiple times and hope
> that the system will fail to see the old process (which is already gone) but
> not see the new process yet.

Right, you are suggesting that 'getpriority(PRIO_USER, getuid())' does
not work atomically?  Even when the process making the call has a higher
priority than the processes you want atomicity against (since the
process table is always in memory you need not worry about a swap during
the call)?  That would be a greater challenge then, granted, but it
would also seem to be a bad implementation.

> I just considered the solution that this might be used to fool a watchdog,
> but I am not sure if thats a realistic scenario, given that I don't know
> what strategies can be used under different platforms to get a list of all
> processes, and whether these strategies guarantee atomicity under various
> conditions.

Perhaps a sensible approach is to disable RT by default on systems for
which no solution exists, and count on users of those systems to help
with a solution if they would like RT by default.  Personally I would
think that Linux users are the most likely to not change default values
or understand the issues, so a solution there would be most beneficial.

[ ... ]

Ciao,

Dre